Allocating Kernel Memory from User Space
Now that you've seen how to "properly" allocate kernel memory using module code, let's do it using run-time kernel memory patching. Here is the algorithm (Cesare, 1998, as cited in sd and devik, 2001) we'll be using:
1. Retrieve the in-memory address of the mkdir system call.
2. Save sizeof(kmalloc) bytes of mkdir.
3. Overwrite mkdir with kmalloc.
4. Call mkdir.
5. Restore mkdir.
With this algorithm, you are basically patching a system call with your own code, issuing the system call (which will execute your code instead), and then restoring the system call. This algorithm can be used to execute any piece of code in kernel space without a KLD.
However, keep in mind that when you overwrite a system call, any process that issues ...